Despite the best efforts of federal agencies and the near-constant media coverage of threats, most government cybersecurity initiatives remain reactive. Once a threat is detected, agency teams typically scramble to identify the source of the intrusion and take necessary steps to mitigate its impact. The nature of the business can make planning and, therefore, budgeting a seemingly impossible task.
Unfortunately, federal IT security professionals’ and program managers’ hands are tied, thanks to limited budgets and time. They worry about the costs and schedules involved in proactively creating a compelling cybersecurity program. Beyond that, they traditionally have not had the necessary tools to develop accurate estimates of what it will take to create these programs. They have been left only able to make educated guesses that leave them stuck in reactive mode.
Agency project managers need to be able to build and develop their cybersecurity systems just as they would a software project. They need accurate planning and estimation that will allow them to consider timeframes, appropriate staff, potential costs, quality, risk, and other key factors.
QSM’s Proven Estimation Approach Applied to Cybersecurity
These are the benefits provided by our Software Life Cycle Management (SLIM) Suite of tools, which use parametric estimation algorithms and are based on detailed analytics, historical data, and our proven methodologies for IT project estimation. These tools and methods are particularly beneficial for large-scale, complex projects that require a great amount of estimation, tracking, and analysis to achieve the right mixture of staff and effort for on-time, on-budget delivery.
Although the SLIM Suite was designed for estimating the development and maintenance of software projects, it can do much more. In addition to being beneficial for planning complex IT infrastructure projects, SLIM can also be effectively used to accurately estimate the costs and schedules associated with the development of large-scale cybersecurity initiatives. Indeed, the SLIM parametric analysis methodology can easily be adapted to size the actual work effort required not only to develop overall federal information systems, but also the specific cybersecurity components of those systems.
Using the NIST Blueprint
We start with an already-existing government blueprint – NIST Special Publication 800-53. This National Institute of Standards and Technology standard is the most prescriptive guidance on security controls required by federal agencies. It provides detailed recommendations of the various low-, medium-, and high-impact security controls that government agencies need to implement to achieve minimal security postures.
Within SLIM, we have created a work breakdown structure (WBS) that maps to the security control category requirements contained within NIST Special Publication 800-53. This allows us to provide government agencies with an accurate representation of the costs and effort required to implement each of these categories. Through SLIM, agency IT program and security managers can receive easy-to-understand graphic depictions of the estimated size, cost, schedule, etc., of their information systems. SLIM takes the sizing of the information systems and compares it to what is necessary to accomplish an agency’s cybersecurity goals. Based on the analysis, SLIM then provides a realistic estimate of how much it will cost to develop the mandated security controls outlined within each category of the NIST publication.
This solves multiple challenges. First, it provides program managers with the knowledge and insight necessary to build a cybersecurity posture based on the requirements outlined in the NIST database. More importantly, it allows them to do so based on a quantitative analysis of trends and evidence regarding the specific historic and analogous costs associated with these activities. No one will ever be able to predict the costs incurred by reacting to unexpected intrusions. However, for the first time, teams are able to perform upfront cost analysis for adherence to the minimal security standards called for by NIST – all through the use of a proven parametric methodology.
While our approach can be used to build a strong cybersecurity-costing framework today, its full potential will ultimately be realized through the use of relevant historical data. Just as with software or IT infrastructure, the sizing and cost estimates provided by parametric analysis are more accurate the more they are supported by actual information from past projects.
Collecting historical data today will provide us with better information for tomorrow. We’ll progressively be able to offer more accurate cybersecurity cost and staffing estimates and better predict the time it will take to develop our information systems. Ultimately, we’ll be able to help federal agencies build more secure systems that “check off all the boxes” – developed within budget, on time, with the right number of people, all of which will be known upfront.
If you are an organization faced with estimating cybersecurity requirements costs for your federal systems and would like to see how our SLIM-driven parametric approach may look in your environment, we’d love to hear from you. Together, we can build off of what QSM has already started: a quantified approach that enables organizations to more accurately estimate the cost of cybersecurity in their unique environments.